On 31.03.2010 15:43, Paul Wouters wrote:
> On Wed, 31 Mar 2010, Bernhard Schmidt wrote:
>
>> It occasionally happens after about one to two weeks of uptime that I
>> cannot query any .de domain anymore. All of a sudden the log is full
>> of validation errors
>
>> Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust
>> anchor -- DNSKEY rrset is not secure <de. DNSKEY IN>
>> Mar 30 21:06:10 svr01 last message repeated 2 times
>> Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust
>> anchor -- could not fetch DNSKEY rrset <de. DNSKEY IN>
>> Mar 30 21:06:10 svr01 last message repeated 2 times
>>
>> The process has been running untouched since March 21st.
>>
>> I raised this on the DENIC ml. Peter Koch told me that he sees queries
>> from my IP address without the OPT-RR (so no EDNS and no DO) during
>> that timeframe. Which would of course mean that Unbound would not get
>> any DNSSEC records, so complaining is a good plan indeed.
>
> Did you check the ntp/clock settings on the machines involved?

Well, ntpd is running, shows no errors and the timestamps in the logfile
(see above) are continuous and without any (big = >5min) jumps.

> You might need to add a lot of verbosity to get more logs out of
> unbound. Or if you still have that instance running, use
> unbound-remote to dump the cache to a file and we might be able to
> get more information out of it.

Will do it the next time it happens.

Bernhard